The POPI Act Countdown is On! Everything you need to know about POPIA compliance

The POPI Act Countdown is On! Everything you need to know about POPIA compliance

What is POPI?

POPI is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, 2013. It is sometimes also referred to as POPIA. It governs when and how organisations collect, use, store, delete and otherwise handle personal information.

What is personal information under POPIA?

Generally speaking, personal information is any information that can be used to personally identify a natural or juristic (i.e. organisations) person. This information about a person includes, but is not limited to:

Personal information_web use

Who does POPI apply to?

POPI applies to all local and foreign organisations processing (i.e. collecting, using or otherwise handling) personal information in South Africa.

What does this announcement mean for your organisation?

You will have up until 1 July 2021 to become compliant. This means that although there will be no sanctions for non-compliance, you must work towards compliance. For most organisations, this is no easy feat as it requires an analysis of all personal information within your organisation, where you get it from and what you do with it.

It is recommended that organisations that have not yet started becoming compliant, do so as soon as possible or they could face fines, penalties and other adverse consequences in future. It is also a good time to commence a data privacy awareness programme within your organisation.

What do the final POPIA regulations deal with?

  • How a data subject can object to the processing of their personal information.
  • How a data subject can request the correction or deletion of information.
  • The responsibilities of an information officer. (Important!)
  • How to apply for the regulator to issue a code of conduct.
  • How to request marketing consent. (Important!)
  • How to submit a complaint to the regulator.
  • How the regulator will act as a conciliator in investigations.
  • What the regulator must do before it investigates you.
  • How the regulator will try to settle complaints.
  • How the regulator will conduct assessments.
  • How the regulator will notify people during investigations.

What is POPI compliance?

You will need to establish measures that ensure that you only collect, use, store, delete and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss.

The measures that each organisation employs will be different, but in practice, it will mean more policies and procedures for your organisation and you will need to inculcate a culture of data protection in your organisation.

Does POPIA provide any benefit to businesses?

POPIA provides the opportunity to analyse and have more control over the data handled within your organisation and to better understand its purposes. As data is an increasingly valuable resource, better data management can increase the efficiency and effectiveness of any business.

What does POPI mean for consumers?

Consumers will benefit from POPI’s requirements in that their personal information must be protected and it can only be collected or handled where there is a lawful justification for doing so.

POPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information. Consumers are informed about what personal information is collected, by who and why so that consumers are able to make informed decisions.

Who regulates POPIA?

POPI is regulated by the Information Regulator.

What are the fines and penalties for non-compliance?

The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10 million fine.

Does POPI add anything to my constitutional right to privacy?

Every person has a constitutional right to privacy, which has many aspects (including privacy in the home, private communications and private information about a person).

POPI gives practical effect to that right insofar as it relates to personal information handled by organisations. It provides a direct mechanism through which that aspect of the right can be enforced.

Is POPI different from the GDPR?

POPI is similar to the EU’s data privacy law, called the General Data Protection Regulation but it differs in some respects. The main difference is that POPI regulates corporate personal information, where appropriate, whereas the GDPR does not.

Another interesting difference between GDPR and POPI Act is that the GDPR places direct obligations on operators (called processors) whereas the POPI Act simply says there should be a mandate in writing between the responsible party and an operator. This places immense importance on the agreements that a responsible party has with its operators.

Who are the role players in POPIA? 

POPI Infographic-Role Players-Web use

What are their responsibilities?

Under POPIA and the regulations: The Information Regulator is responsible for ensuring that their organisation complies with the POPI Act. They are a key person in any project or programme. 

A Responsibly Party is a public or private body or any other person which alone or in conjunction with others determines the purpose of and means for processing personal information.

An information regulator and responsible party (or body) must:

  • encourage compliance with conditions for the lawful processing of personal information,
  • deal with requests made pursuant to POPIA (presumably by the Information Regulator or Data Subjects),
  • work with the Regulator in relation to investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body),
  • otherwise, ensure compliance by the body with the provisions of POPIA,
  • develop, implement and monitor a compliance framework,
  • ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist,
  • develop, monitor, maintain and make available a PAIA manual,
  • develop internal measures and adequate systems to process requests for access to information,
  • ensure that internal awareness sessions are conducted, and as may be prescribed.

These responsibilities are set out in section 55 of POPIA.

The third-party Operator is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

Regardless of the fact that an operator might also be a responsible party in its own right; when instructed or contracted to deliver a processing service on behalf of the responsible party for a specific purpose they act as an operator.

For more information or compliance solutions, feel free to contact us

Continue Reading
SkyData IOT

Informed Decisions and Skydata IoT partner

Informed Decisions and Skydata IoT partner to deliver greater efficiencies to a business operating in the Pharmaceutical Manufacturing arena.


Manufacturing in the pharmaceutical industry in this country is strictly governed by the South African Health Products Regulatory Authority (SAHPRA) with the Medicines Control Council (MCC) applying standards as laid down by the Medicines and Related Substances Act.

Therefore, the manufacturing process is carefully managed and monitored throughout. Over and above hygiene requirements there is also a key focus on environmental conditions such as temperature and humidity during the production life cycle.

Cross contamination between production areas is a serious risk factor that requires intense scrutiny on an ongoing basis.
Storage and sampling conditions are also crucial to the overall production process and consist of the following:

    • Climate control chambers
      • High Temp/Humidity
      • Low Temp/Humidity
    • Sample Storage (Strict storage requirements)

The compilation of digital records of environmental conditions, with audit trail capabilities, pose significant challenges for laboratories operating in this sector. Such audits are mandatory to avoid operator capturing errors due to manual processes and provide qualified reports on production quality.


The laboratories in question in this use case study operate in the pharmaceutical manufacturing industry and produce a number of products from aerosols to tablets. Although the company has a proprietary range of products it also contracts to pack for other organisations in the arena.


Informed Decisions deployed a long-range wireless network with an array of sensors that operate throughout the manufacturing and storage environments. Data is collected on a fifteen-minute cycle and presented on a custom developed platform, designed in partnership with Argility and based on its proprietary SkyData platform. The solution consists of a high-availability network device that creates a long-range private LoRa network. More than sixty individual manufacturing environments are monitored by medical industry approved sensor sets. Dashboards for the entire plant were created on the Skydata platform allowing real-time visibility of the factors being monitored. Triggers and alerts are setup on Skydata to not only display but to also email/SMS the responsible individuals for immediate resolution.


  • Continuous real-time digital monitoring and automated alarms on a visible dashboard or via email/SMS when manufacturing rooms exceed predefined parameters on:
    • Temperature
    • Differential pressure
    • Humidity
    • Door contacts
    • Climate control chambers
  • Immediate notification of critical events facilitating instantaneous response and rectification of any discrepancies.
  • Avoidance of production quality issues.
  • Ability to provide an audit trail and proof of quality processes.
  • Capability to prove that best manufacturing processes have been followed.
  • Reduction of rework/write-off of materials due to environmental issues.
  • Elimination of manual readings reducing staff time impact.
  • Minimisation of expensive annual calibration processes.
  • Increased efficiency and transparency with dashboard views and real-time alerts.
  • Audit trial capabilities that would otherwise be expensive and complex.
  • Analytics available for proactive addressing of issues in the facilities such as heating, ventilation, and air conditioning (HVAC).

Ultimately the system has saved time; increased productivity; prevented stock losses; enhanced customer trust, all of which in turn leads to competitive advantage.

For further information:

Contact one of our Business Consultants on 011 712 1300, email or visit our website, 

Download Case Study

Continue Reading
Richard Knight CFO Podcast

Richard Knight – Navigating the impact of Covid19 for ATG and its customers

Argility’s passion for innovation ensures it’s at the forefront of intelligent software and the internet of things.
Richard Knight, the Chief Financial Officer at Argility Technology Group, shares his views on navigating the impact of Covid19 for ATG and its customers, plus the need for digital transformation, with other South African CFO’s.

Continue Reading

SkyData case study